MyPrestaModules ordersexport before v5.0 was discovered to contain multiple SQL injection vulnerabilities at send.php via the key and save_setting parameters.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org** or visit https://security-presta.org for more information.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “Orders (CSV, Excel) Export PRO” (ordersexport) from MyPrestaModules for PrestaShop, an anonymous user can perform SQL injection up to 5.0. Release 5.0 fixed this security issue.

**Summary**

*   **CVE ID**: CVE-2023-40923
*   **Published at**: 2023-11-09
*   **Advisory source**: Friends-Of-Presta.org
*   **Vendor**: PrestaShop
*   **Product**: ordersexport
*   **Impacted release**: < 5.0 (5.0 fixed the vulnerability)
*   **Product author**: MyPrestaModules
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

Before 5.0, sensitives SQL calls in class send.php can be executed with a trivial http call and exploited to forge a blind SQL injection throught the POST or GET submitted “key” or “save\_setting” variables.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Steal/Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch**

    --- a/ordersexport/send.php
    +++ b/ordersexport/send.php
    @@ -170,7 +170,7 @@ try {
         $config = array();
         $config = Tools::unserialize(Configuration::get('GOMAKOIL_EXPORT_ORDERS_SETTINGS','', $default_shop_group_id, $default_shop_id));
         $key = Tools::getValue('key');
    -    Db::getInstance()->delete('exported_order', 'settings="'.trim($key).'"');
    +    Db::getInstance()->delete('exported_order', 'settings="'.pSQL($key).'"');
         unset($config[trim($key)]);
         $config_save =serialize($config);
         Configuration::updateValue('GOMAKOIL_EXPORT_ORDERS_SETTINGS', $config_save, false, $default_shop_group_id, $default_shop_id);
    @@ -314,7 +314,7 @@ try {
           $automatic = Tools::getValue('automatic');
           $not_exported = Tools::getValue('not_exported');
           if(isset($automatic) && $automatic && isset($not_exported) && $not_exported ){
    -        Db::getInstance()->delete('exported_order', 'settings="'.trim(Tools::getValue('save_setting')).'"');
    +        Db::getInstance()->delete('exported_order', 'settings="'.pSQL(Tools::getValue('save_setting')).'"');
           }
           $json['success'] = $ordersexport->l('Data successfully saved!', 'send');
         }
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **ordersexport**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skill because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2022-10-09

Issue discovered during a code reviews by 202 ecommerce

2022-10-10

Contact the author

2022-10-10

The author confirm the latest release is already fixed

2023-08-15

Request a CVE ID

2023-10-11

Received CVE ID

2023-11-09

Publication of this security advisory

**Links**

*   PrestaShop addons product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-40923: [CVE-2023-40923] Improper neutralization of an SQL parameter in MyPrestaModules - Orders (CSV, Excel) Export PRO module for PrestaShop

Nukium nkmgls before version 3.0.2 is vulnerable to Cross Site Scripting (XSS) via NkmGlsCheckoutModuleFrontController::displayAjaxSavePhoneMobile.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org** or visit https://security-presta.org for more information.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “NKM GLS” (nkmgls) up to version 3.0.1 from Nukium for PrestaShop, a guest (authenticated customer) can perform XSS injection of type 2 (stored XSS) from FRONT to BACK (F2B) of Category 2 within the funnel order in affected versions.

Note : To succeed in this exploit, the red team needs to pay to convert a cart into a valid order with GLS carrier and require the administrator of the PS to check a specific screen within its backoffice.

**Summary**

*   **CVE ID**: CVE-2023-47309
*   **Published at**: 2023-11-14
*   **Platform**: PrestaShop
*   **Product**: nkmgls
*   **Impacted release**: <= 3.0.1 (3.0.2 fixed the vulnerability)
*   **Product author**: Nukium
*   **Weakness**: CWE-79
*   **Severity**: critical (9.0)

**Description**

As all XSS type 2 (Stored XSS) F2B (Front to Back), there are two steps and a prerequisite.

Prerequisite :

*   The field phone_mobile within table gls\_cart\_carrier suffers from a type varchar(255) which is large enough to allow dangerous XSS payloads.

Steps :

*   The method NkmGlsCheckoutModuleFrontController::displayAjaxSavePhoneMobile does not properly clean the parameter gls_customer_mobile. pSQL is useless against XSS which exploits HTML tag attributes (Category 2 according to OWASP - pSQL only neutralized Category 1 thanks to its strip\_tags).
*   The output in the backoffice is not escaped in the related smarty template that uses it.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: low
*   **User interaction**: required
*   **Scope**: changed
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

**Possible malicious usage**

*   Unlock design critical vulnerabilities, see this.

**Patch from 3.0.2**

    --- a/controllers/front/checkout.php
    +++ b/controllers/front/checkout.php
    
     <?php
     
    +use Nukium\GLS\Common\Exception\GlsException;
     use Nukium\GLS\Common\Legacy\GlsController;
     
     require_once dirname(__FILE__) . '/../../vendor/autoload.php';
    @@ -25,54 +26,63 @@ class NkmGlsCheckoutModuleFrontController extends ModuleFrontController
                 'message' => ''
             );
     
    -        $phone_mobile = Tools::getValue('gls_customer_mobile');
    -        $id_carrier = Tools::getValue('id_carrier');
    -        $is_relay = Tools::getValue('is_relay');
    -
    -        if ($cart && !empty($id_carrier)) {
    -            /**
    -             * Récupération du code produit GLS (dépend du transporteur sélectionné uniquement dans ce cas de figure
    -             * car l'enregistrement est appelé uniquement pour les transporteurs gls13h ou glsrelais)
    -             */
    -            $customer_address = new Address($cart->id_address_delivery);
    -            $customer_country_iso = '';
    -            if ($customer_address) {
    -                $customer_country_iso = Country::getIsoById($customer_address->id_country);
    +        try {
    +            $phone_mobile = Tools::getValue('gls_customer_mobile');
    +            if (!Validate::isPhoneNumber($phone_mobile)) {
    +                throw new GlsException($this->module->l('Please fill-in a valid mobile number (e.g. +XXXXXXXXXXX or 0XXXXXXXXX).', 'nkmgls'));
                 }
    -            $gls_product = $this->module->getGlsProductCode(
    -                (int)$id_carrier,
    -                $customer_country_iso
    -            );
     
    -            $query = new DbQuery();
    -            $query->select('c.*')
    -                ->from('gls_cart_carrier', 'c')
    -                ->where('c.`id_customer` = ' . (int) $cart->id_customer)
    -                ->where('c.`id_cart` = ' . (int) $cart->id);
    -
    -            if (Db::getInstance()->getRow($query)) {
    -                $sql = 'UPDATE ' . _DB_PREFIX_ . 'gls_cart_carrier SET `customer_phone_mobile`=\'' . pSQL($phone_mobile) . '\', `id_carrier`=' . (int) $id_carrier . ', `gls_product`=\'' . pSQL($gls_product) . '\'';
    -                // reset all data except mobile and gls_product
    -                if (! $is_relay) {
    -                    $sql .= ',`parcel_shop_id` = NULL, `name` = NULL, `address1` = NULL, `address2` = NULL, `postcode` = NULL,
    -                        `city` = NULL, `phone` = NULL, `phone_mobile` = NULL, `id_country` = NULL, `parcel_shop_working_day` = NULL';
    +            $id_carrier = Tools::getValue('id_carrier');
    +            $is_relay = Tools::getValue('is_relay');
    +
    +            if ($cart && !empty($id_carrier)) {
    +                /**
    +                 * Récupération du code produit GLS (dépend du transporteur sélectionné uniquement dans ce cas de figure
    +                 * car l'enregistrement est appelé uniquement pour les transporteurs gls13h ou glsrelais)
    +                 */
    +                $customer_address = new Address($cart->id_address_delivery);
    +                $customer_country_iso = '';
    +                if ($customer_address) {
    +                    $customer_country_iso = Country::getIsoById($customer_address->id_country);
                     }
    -                $sql .= ' WHERE `id_customer`=' . (int) $cart->id_customer . ' AND `id_cart`=' . (int) $cart->id;
    +                $gls_product = $this->module->getGlsProductCode(
    +                    (int)$id_carrier,
    +                    $customer_country_iso
    +                );
    +
    +                $query = new DbQuery();
    +                $query->select('c.*')
    +                    ->from('gls_cart_carrier', 'c')
    +                    ->where('c.`id_customer` = ' . (int) $cart->id_customer)
    +                    ->where('c.`id_cart` = ' . (int) $cart->id);
    +
    +                if (Db::getInstance()->getRow($query)) {
    +                    $sql = 'UPDATE ' . _DB_PREFIX_ . 'gls_cart_carrier SET `customer_phone_mobile`=\'' . pSQL($phone_mobile) . '\', `id_carrier`=' . (int) $id_carrier . ', `gls_product`=\'' . pSQL($gls_product) . '\'';
    +                    // reset all data except mobile and gls_product
    +                    if (! $is_relay) {
    +                        $sql .= ',`parcel_shop_id` = NULL, `name` = NULL, `address1` = NULL, `address2` = NULL, `postcode` = NULL,
    +                            `city` = NULL, `phone` = NULL, `phone_mobile` = NULL, `id_country` = NULL, `parcel_shop_working_day` = NULL';
    +                    }
    +                    $sql .= ' WHERE `id_customer`=' . (int) $cart->id_customer . ' AND `id_cart`=' . (int) $cart->id;
     
    -                if (Db::getInstance()->Execute($sql)) {
    -                    $return['result'] = true;
    -                } else {
    -                    $return['message'] = $this->module->l('Unexpected error occurred.', self::L_SPECIFIC);
    -                }
    -            } else {
    -                if (Db::getInstance()->Execute('INSERT INTO ' . _DB_PREFIX_ . 'gls_cart_carrier
    -                    (`id_customer`, `id_cart`, `id_carrier`, `gls_product`, `customer_phone_mobile`)
    -                    VALUES (' . (int) $cart->id_customer . ', ' . (int) $cart->id . ', ' . (int) $id_carrier . ', \'' . pSQL($gls_product) . '\', \'' . pSQL($phone_mobile) . '\')')) {
    -                    $return['result'] = true;
    +                    if (Db::getInstance()->Execute($sql)) {
    +                        $return['result'] = true;
    +                    } else {
    +                        throw new GlsException($this->module->l('Unexpected error occurred.', self::L_SPECIFIC));
    +                    }
                     } else {
    -                    $return['message'] = $this->module->l('Unexpected error occurred.', self::L_SPECIFIC);
    +                    if (Db::getInstance()->Execute('INSERT INTO ' . _DB_PREFIX_ . 'gls_cart_carrier
    +                        (`id_customer`, `id_cart`, `id_carrier`, `gls_product`, `customer_phone_mobile`)
    +                        VALUES (' . (int) $cart->id_customer . ', ' . (int) $cart->id . ', ' . (int) $id_carrier . ', \'' . pSQL($gls_product) . '\', \'' . pSQL($phone_mobile) . '\')')) {
    +                        $return['result'] = true;
    +                    } else {
    +                        throw new GlsException($this->module->l('Unexpected error occurred.', self::L_SPECIFIC));
    +                    }
                     }
                 }
    +        } catch (GlsException $e) {
    +            $return['result'] = false;
    +            $return['message'] = $e->getMessage();
             }
     
             header('Content-Type: application/json');
    

    --- a/views/templates/admin/gls_label/label_list.tpl
    +++ b/views/templates/admin/gls_label/label_list.tpl
    
    @@ -186,7 +186,7 @@
                                                             {l s='Mobile' mod='nkmgls'}
                                                         </label>
                                                         <div>
    -                                                        <input class="form-control" type="tel" name="mobile" value="{if !empty($tr.customer_phone_mobile)}{$tr.customer_phone_mobile}{else}{$tr.customer_phone}{/if}" required="required" />
    +                                                        <input class="form-control" type="tel" name="mobile" value="{if !empty($tr.customer_phone_mobile)}{$tr.customer_phone_mobile|escape:'html':'UTF-8'}{else}{$tr.customer_phone|escape:'html':'UTF-8'}{/if}" required="required" />
                                                         </div>
                                                     </div>
                                                     {if $tr.id_country|in_array:$cee_countries === false}
    @@ -210,10 +210,10 @@
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **nkmgls**.
*   Systematically escape characters ‘ “ < and > by replacing them with HTML entities and applying strip\_tags - Smarty and Twig provide auto-escape filters : \`\`\`diff
*   Smarty: {$value.comment
    
    escape:’html’:’UTF-8’}
    
*   Twig: {{value.comment|e}}(without backslashes) \`\`\`
*   Limit to the strict minimum the length’s value in database - a database field that allow 10 characters (varchar(10)) is far less dangerous than a field that allows 40+ characters (use cases that can exploit fragmented XSS payloads are very rare)
*   Configure CSP headers (content security policies) by listing external domains allowed to load assets (such as js files) or being called in XHR transactions (Ajax).
*   If applicable: check against all your frontoffice’s uploaders, uploading files that will be served by your server that mime type application/javascript (like every .js natively) must be strictly forbidden as it must be considered as dangerous as PHP files.
*   Activate OWASP 941’s rules on your WAF (Web application firewall) - be warned that you will probably break your frontoffice/backoffice and you will need to preconfigure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-02-24

Issue discovered during a code review by TouchWeb.fr

2023-02-24

Contact the author who will provide a patch within 4 hours

2023-02-24

V3.0.2 available on https://store.nukium.com/ and https://addons.prestashop.com/

2023-03-10

Recontact author about the publication of the vulnerability

2023-03-12

Author completes the diff of this present CVE and asks for a delay to publish

2023-05-05

Recontact author about the publication of the vulnerability

2023-05-17

Author ask for another delay before publication

2023-07-15

Recontact author about the publication of the vulnerability

2023-09-17

Recontact author about the publication of the vulnerability

2023-09-30

Recontact author about the publication of the vulnerability

2023-10-30

Inform the author about the publication of the vulnerability

2023-10-30

Request a CVE ID

2023-11-08

Received CVE ID

2023-11-14

Publish this security advisory

**Links**

*   Author product page
*   PrestaShop addons product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-47309: [CVE-2023-47309] Improper Neutralization of Input During Web Page Generation in Nukium - NKM GLS module for PrestaShop

ETS Soft ybc_blog before v4.4.0 was discovered to contain a SQL injection vulnerability via the component Ybc_blogBlogModuleFrontController::getPosts().

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org** or visit https://security-presta.org for more information.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “BLOG - Drive High Traffic & Boost SEO” (ybc\_blog) in version up to 3.3.8 from PrestaHero (ETS Soft) for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-43979
*   **Published at**: 2023-11-14
*   **Advisory source**: Friends-Of-Presta.org
*   **Platform**: PrestaShop
*   **Product**: ybc\_blog
*   **Impacted release**: <= 3.3.8 (4.4.0 fixed the vulnerability)
*   **Product author**: PrestaHero (ETS Soft)
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

The method Ybc_blogBlogModuleFrontController::getPosts() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

Reminder : Core method Validate::isCleanHtml() is useless against CWE-89, it only targets CWE-79

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 3.3.8**

    --- 3.3.8/modules/ybc_blog/controllers/front/blog.php
    +++ 4.4.0/modules/ybc_blog/controllers/front/blog.php
    ...
            } elseif (($tag = trim(Tools::getValue('tag'))) != '' && Validate::isCleanHtml($tag)) {
                if ($this->module->friendly && Tools::strpos($_SERVER['REQUEST_URI'], 'tag') !== false && Tools::strpos($_SERVER['REQUEST_URI'], 'ybc_blog') !== false)
                    $this->module->redirect($this->module->getLink('blog', array('tag' => $tag)));
                $md5tag = md5(urldecode(trim(Tools::strtolower($tag))));
    -           $filter .= " AND p.id_post IN (SELECT id_post FROM `" . _DB_PREFIX_ . "ybc_blog_tag` WHERE tag = '$tag' AND id_lang = " . $this->context->language->id . ")";
    +           $filter .= " AND p.id_post IN (SELECT id_post FROM `" . _DB_PREFIX_ . "ybc_blog_tag` WHERE tag = '" . pSQL($tag) . "' AND id_lang = " . $this->context->language->id . ")";
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **ybc\_blog**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skill because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-05-21

Issue discovered during a code review by TouchWeb.fr

2023-05-21

Contact PrestaShop Addons security Team to confirm version scope by author

2023-05-22

PrestaShop Addons security Team confirm version scope

2023-09-21

Request a CVE ID

2023-09-27

Received CVE ID

2023-11-14

Publish this security advisory

**Links**

*   PrestaShop addons product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-43979: [CVE-2023-43979] Improper neutralization of SQL parameter in PrestaHero (ETS Soft) - BLOG - Drive High Traffic & Boost SEO module for PrestaShop

yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle `http_headers` to the Generic extractor, as well as other extractors that use the same pattern. Users are advised to upgrade. Users unable to upgrade should disable the Ggneric extractor (or only pass trusted sites with trusted content) and ake caution when using `--no-check-certificate`.

**Affected versions**

\>=2022.10.04

**Patched versions**

2023.11.14

**Impact**

The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases.

To pass extra control data between extractors (such as headers like Referer), yt-dlp employs a concept of "url smuggling". This works by adding this extra data as json to the url fragment ("smuggling") that is then passed on to an extractor. The receiving extractor then "unsmuggles" the data from the input url. This functionality is intended to be internal only.

Currently, the Generic extractor supports receiving an arbitrary dictionary of HTTP headers in a smuggled url, of which it extracts and adds them to the initial request it makes to such url. This is useful when a url sent to the Generic extractor needs a Referer header sent with it, for example.

Additionally, yt-dlp has internal headers to set a proxy for a request: Ytdl-request-proxy and Ytdl-socks-proxy. While these are deprecated, internally Ytdl-request-proxy is still used for --geo-verification-proxy.

However, it is possible for a maliciously crafted site include these smuggled options in a url which then the Generic extractor extracts and redirects to itself. This allows a malicious website to **set an arbitrary proxy for an arbitrary url that the Generic extractor will request.**

This could allow for the following, but not limited too:

*   An attacker can MITM a request it asks yt-dlp to make to **any** website.
    *   If a user has loaded cookies into yt-dlp for the target site, which are not marked as secure, they could be exfiltrated by the attacker.
    *   Fortunately most sites are HTTPS and should be setting cookies as secure.
*   An attacker can set cookies for an arbitrary site.

An example malicious webpage:

<!DOCTYPE html\>
<cinerama.embedPlayer('t','{{ target\_site }}#\_\_youtubedl\_smuggle=%7B%22http\_headers%22:%7B%22Ytdl-request-proxy%22:%22{{ proxy url }}%22%7D,%22fake%22:%22.smil/manifest%22%7D')

Where {{ target_site }} is the URL Generic extractor will request and {{ proxy url }} is the proxy to proxy the request for this url through.

**Patches**

*   We have removed the ability to smuggle http_headers to the Generic extractor, as well as other extractors that use the same pattern.

**Workarounds**

*   Disable Generic extractor (--ies default,-generic), or only pass trusted sites with trusted content.
*   Take caution when using --no-check-certificate.

**References**

*   GHSA-3ch3-jhc6-5r8x
*   https://nvd.nist.gov/vuln/detail/CVE-2023-46121
*   https://github.com/yt-dlp/yt-dlp/releases/tag/2023.11.14
*   f04b5be

CVE-2023-46121: Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Matthew Muro Restrict Categories plugin <= 2.6.4 versions.

**Solution**

 No fix

No patched version is available.

Le Ngoc Anh discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Restrict Categories Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-47518: WordPress Restrict Categories plugin <= 2.6.4  - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in SendPress Newsletters plugin <= 1.23.11.6 versions.

**Solution**

 No fix

No patched version is available. This plugin has been closed as of November 3, 2023 and is not available for download. This closure is temporary, pending a full review.

Le Ngoc Anh discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress SendPress Newsletters Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 4 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-47517: WordPress SendPress Newsletters plugin <= 1.23.11.6 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

MikroTik RouterOS v7.1 to 7.11 was discovered to contain incorrect access control mechanisms in place for the Rest API.

Recently, Mikrotik added a REST server as a new API for managing the router. It is a nice alternative to their proprietary API when automating RouterOS.

However, young software usually contains bugs. Sometimes, these bugs are security-related, and, together with not-so-safe defaults, they may create a vulnerability.

This vulnerability has been assigned the ID CVE-2023-41570.

**Background**

RouterOS (from Mikrotik) is a closed-source Linux-based operating system for network appliances, specifically switches, routers and firewalls. It is used in Mikrotik appliances (such as RouterBOARD), but it can be downloaded and installed on other devices and virtual machines.

The management interfaces of RouterOS include SSH, MAC-Telnet, Winbox (a proprietary Windows-only tool), Webfig (a web user interface), and a proprietary API (additionally, ISPs have also TR-069). Since version v7.1beta4, RouterOS also includes a REST server. The REST server is started as a sub-resource of Webfig at /rest. More information on the RouterOS REST API web page.

**Authentication**

RouterOS supports local and remote user authentication and authorization databases (via RADIUS). Users belong to _groups_, each with its own permissions set. The resulting permission set is additive – it is the sum of all permissions granted by groups.

By default, only the local database is used, and three groups are present: full, with unlimited access to the router; write, with almost complete access except for file transfer (to/from the router itself) and user policies, and read, with read-only access (plus reboot privileges). Also, by default, rest-api is a specific permission granted to all groups.

Users may be restricted to logging in only from specific IP addresses or networks.

**The vulnerability**

REST APIs are protected by HTTP Basic authentication. You should provide a valid username and password pair. The username must have the rest-api (which, by default, is granted to all groups).

The vulnerability lies in the fact that, while other interfaces (SSH, Webfig, etc.) check whether the user is authorized to log in from that specific IP address, this is not the case for the REST server. **Users can access the REST server from any IP address**, even if they are not authorized in the users’ database.

To exploit this vulnerability:

*   the attacker must have a username and password pair that has rest-api permission (but no permission to log in from the attacker IP address);
*   the firewall should allow access to the web user interface from the IP address of the attacker;
*   Webfig (the web UI) must be enabled: the REST server is part of Webfig.

Note that, by default, all groups have the rest-api permission (any user is allowed to use REST APIs), and Webfig is enabled. There is no way to disable the REST server, as it is integrated into Webfig. This is unexpected; usually, services like SSH or proprietary APIs are under the “IP” -> “Services” menu with their independent entry. At the very least, there should be a flag in the Webfig service www to enable the REST server selectively (defaulting off).

So, I think the majority of those who left Webfig active don’t realize that they are exposing the REST endpoint too, and that every user can access it, regardless of the IP filter configured in the user database.

To exacerbate the problem, the read group has some dangerous permissions: sniff (to intercept traffic), reboot, and sensitive (read sensitive information, such as Wi-Fi passwords or IPSec pre-shared keys). I certainly do not expect a “read” user to reboot the router.

**Mikrotik advisory and solution**

Mikrotik released RouterOS version 7.12 with the fix (the changelog contains only a generic reference to “www - fixed allowed address setting for REST API users”).

**Timeline**

I followed the responsible disclosure process described in the “Responsible disclosure of discovered vulnerabilities” page. I reported the vulnerability at 2023-08-19 09:46:00 UTC and received the ACK at 2023-08-24 07:43:00 UTC. The fix was released in version 7.12 at 2023-11-09 09:45:00 UTC (time point from RouterOS changelog).

CVE-2023-41570: CVE-2023-41570: Access Control vulnerability in MikroTik REST API

Microsoft today released updates to fix more than five dozen security holes in its Windows operating systems and related software, including three "zero day" vulnerabilities that Microsoft warns are already being exploited in active attacks.

**Microsoft** today released updates to fix more than five dozen security holes in its **Windows** operating systems and related software, including three “zero day” vulnerabilities that Microsoft warns are already being exploited in active attacks.

The zero-day threats targeting Microsoft this month include CVE-2023-36025, a weakness that allows malicious content to bypass the Windows SmartScreen Security feature. SmartScreen is a built-in Windows component that tries to detect and block malicious websites and files. Microsoft’s security advisory for this flaw says attackers could exploit it by getting a Windows user to click on a booby-trapped link to a shortcut file.

**Kevin Breen**, senior director of threat research at **Immersive Labs**, said emails with .url attachments or logs with processes spawning from .url files “should be a high priority for threat hunters given the active exploitation of this vulnerability in the wild.”

The second zero day this month is CVE-2023-36033, which is a vulnerability in the “DWM Core Library” in Microsoft Windows that was exploited in the wild as a zero day and publicly disclosed prior to patches being available. It affects Microsoft Windows 10 and later, as well as Microsoft Windows Server 2019 and subsequent versions.

“This vulnerability can be exploited locally, with low complexity and without needing high-level privileges or user interaction,” said **Mike Walters**, president and co-founder of the security firm **Action1**. “Attackers exploiting this flaw could gain SYSTEM privileges, making it an efficient method for escalating privileges, especially after initial access through methods like phishing.”

The final zero day in this month’s Patch Tuesday is a problem in the “Windows Cloud Files Mini Filter Driver” tracked as CVE-2023-36036 that affects Windows 10 and later, as well as Windows Server 2008 at later. Microsoft says it is relatively straightforward for attackers to exploit CVE-2023-36036 as a way to elevate their privileges on a compromised PC.

Beyond the zero day flaws, Breen said organizations running **Microsoft Exchange Server** should prioritize several new Exchange patches, including CVE-2023-36439, which is a bug that would allow attackers to install malicious software on an Exchange server. This weakness technically requires the attacker to be authenticated to the target’s local network, but Breen notes that a pair of phished Exchange credentials will provide that access nicely.

“This is typically achieved through social engineering attacks with spear phishing to gain initial access to a host before searching for other vulnerable internal targets – just because your Exchange Server doesn’t have internet-facing authentication doesn’t mean it’s protected,” Breen said.

Breen said this vulnerability goes hand in hand with three other Exchange bugs that Microsoft designated as “exploitation more likely:” CVE-2023-36050, CVE-2023-36039 and CVE-2023-36035.

Finally, the **SANS Internet Storm Center** points to two additional bugs patched by Microsoft this month that aren’t yet showing signs of active exploitation but that were made public prior to today and thus deserve prioritization. Those include: CVE-2023-36038, a denial of service vulnerability in **ASP.NET Core**, with a CVSS score of 8.2; and CVE-2023-36413: A **Microsoft Office** security feature bypass. Exploiting this vulnerability will bypass the protected mode when opening a file received via the web.

Windows users, please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any difficulties as a result of these patches.

Microsoft Patch Tuesday, November 2023 Edition

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Themeum WP Crowdfunding plugin <= 2.1.6 versions.

**Solution**

 Fixed

Update the WordPress WP Crowdfunding plugin to the latest available version (at least 2.1.7).

Found this useful? Thank Abu Hurayra for reporting this vulnerability. Buy a coffee ☕

Abu Hurayra discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WP Crowdfunding Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 2.1.7.

**Other vulnerabilities in this plugin**

 0 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-47532: WordPress WP Crowdfunding plugin <= 2.1.6 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Sajjad Hossain Sagor WP Edit Username plugin <= 1.0.5 versions.

**Solution**

 No fix

No patched version is available.

Jeongwoo-Lee(Roronoa) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WP Edit Username Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

Tag

#web